- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed
after SIX (6) MONTHS from the mailing date of this communication.

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 

- Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) ☒ Responsive to communication(s) filed on 29 March 2004.

2a) ☒ This action is FINAL.    2b) □ This action is non-final.

3) □ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims

4) ☒ Claim(s) 1-63 is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration.

5) □ Claim(s) is/are allowed.

6) ☒ Claim(s) 1-63 is/are rejected.

7) □ Claim(s) is/are objected to.

8) □ Claim(s) are subject to restriction and/or election requirement.

Application Papers 

9) □ The specification is objected to by the Examiner.

10) □ The drawing(s) filed on is/are: a) □ accepted or b) □ objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).

11) □ The proposed drawing correction filed on is: a) □ approved b) □ disapproved by the Examiner.

If approved, corrected drawings are required in reply to this Office action.

12) □ The oath or declaration is objected to by the Examiner.

Priority under 35 U.S.C. §§ 119 and 120

13) □ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f).

a) □ All b) □ Some* c) □ None of:

1. □ Certified copies of the priority documents have been received.

2. □ Certified copies of the priority documents have been received in Application No. .

3. □ Copies of the certified copies of the priority documents have been received in this National Stage
application from the International Bureau (PCT Rule 17.2(a)).

* See the attached detailed Office action for a list of the certified copies not received.

14) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. § 119(e) (to a provisional application).

a) □ The translation of the foreign language provisional application has been received.

15) □ Acknowledgment is made of a claim for domestic priority under 35 U.S.C. §§ 120 and/or 121.

Attachment(s) 

1) ☒ Notice of References Cited (PTO-892)
2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948)
3) □ Information Disclosure Statement(s) (PTO-1449) Paper No(s) .
4) □ Interview Summary (PTO-413) Paper No(s). .
5) □ Notice of Informal Patent Application (PTO-152)
6) □ Other:

Part of Paper No. 6



DETAILED ACTION 

1. Claims 1-63 are pending.

Response to arguments 

2. Applicant argues (page 10, last paragraph - page 11, first paragraph):

More specifically, the Office action provided inter alia that "since the claim does not set
forth any steps involved in the method/process, it is unclear what method/process
applicant is intending to encompass."

Applicants submit that claim 1 clearly recites steps involved in the method "for control 
and maintenance of operational organization structure." Particularly, the method of claim 
1 comprises steps of "electronically" "associating entities with cryptographic 
capabilities", "organizing entities within the organizational structure as roles", and 
"maintaining roles within the organizational structure." Accordingly, the rejection of 
claim 1, under 35 § USC 112, second paragraph is traversed and applicants submit that
claim 1 is allowable. 

Applicant's arguments with respect to claim 1 have been considered but are moot in view
of the new ground(s) of rejection under 35 § USC 112, first paragraph.

Applicant's arguments, see page 11, paragraphs 3-6, filed 3/29/04, with respect to Claim 1
have been fully considered and are persuasive. The rejection of claim 1 under 35 § USC
101 10/28/03 has been withdrawn.

Applicant (page 12, paragraph 2) further argues

For example, the teachings of Lampson et al. fail to at least disclose, teach, or suggest a "method 
for control and maintenance of an operational organizational structure," comprising "associating 
entities with cryptographic capabilities", "organizing entities within the organizational structure 
as roles", and "maintaining roles within the organizational structure" as recited in independent 
claim 1 and its dependent claims 1-4, 6-10, and 13-15. 

Lampson et al. merely disclose a theory of authentication and a system that implements it.

The Examiner maintains that Lampson et al. does indeed teach, or suggest a "method for control 
and maintenance of an operational organizational structure," comprising "associating entities 
with cryptographic capabilities", "organizing entities within the organizational structure as 
roles", and "maintaining roles within the organizational structure". Applicant argues that 
Lampson merely discloses a theory of authentication and a system that implements it. The 
Examiner maintains that "the theory of authentication and system that implements it" is the 
"method" in which a system in which an operational organization structure is controlled, where 
the operational structure is the structure of the authentication system that needs to be maintained 
as disclosed by Lampson et al. The Examiner further maintains that a certification authority is 
clearly an entity with a cryptographic capability that is "associated with the organization" and 
with a very specific role that must be "maintained" in order for Lampson et al's theory or
"method" to work. 

Further and more specifically, applicants submit that Lampson et al. fail to disclose, teach or
suggest organizing entities within an organization structure as roles, entities which have
associated cryptographic capabilities. While Lampson et al. disclose an authentication system
that may be applied to an organization, Lampson et al. fail to disclose any method for organizing
entities with an organization as roles. The only roles Lampson et al. discuss are roles, for
principals, that appear to be supplied to the authentication system of Lampson et al. See, e.g., p.
268 of Lampson et al. as cited by the office action. Lampson et al. provide no disclosure,
suggestion or teaching regarding organization entities within an organizational structure as roles
as recited in claim 1.

The Examiner maintains the position that the roles that Lampson et al. discusses are roles for
principals, where the principals themselves are "entities".

Applicant's arguments filed 3-29-04 have been fully considered but they are not persuasive. 



Claim Rejections - 35 USC § 112 

3. The following is a quotation of the first paragraph of 35 U.S.C. 112: 
The specification shall contain a written description of the invention, and of the manner and process of making
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

Claim 1 is rejected under 35 U.S.C. 112, first paragraph, as failing to comply with the
enablement requirement. The claim(s) contains subject matter which was not described in the
specification in such a way as to enable one skilled in the art to which it pertains, or with which
it is most nearly connected, to make and/or use the invention. The specification fails to illustrate
how the method for control and maintenance of an operational organization structure is
"electronically" implemented.

Claim 1 is further rejected under 35 U.S.C. 112, first paragraph, as based on a disclosure
which is not enabling. Any subject matter illustrating how the method for control and 
maintenance may be implemented electronically are critical or essential to the practice of the 
invention, but not included in the claim(s) is not enabled by the disclosure. See In re Mayhew, 
527 F.2d 1229, 188 USPQ 356 (CCPA 1976). 



Claim Rejections - 35 USC § 102 

4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 

basis for the rejections under this section made in this Office action: 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United
States.

5. Claims 1-10, 13-39, 41-44, 47-57, 59, 61-63 as best understood are rejected under 35
U.S.C. 102(b) 

In reference to claim 1:

Lampson et al. discloses a method for control and maintenance of an operational organizational 
structure, where the operational organizational structure is the organization structure of the 
distributed authentication system, the method comprising: 

Associating entities with cryptographic capabilities, where the certification authority is an entity 
associated with cryptographic capabilities; (Section 5.1 p.283-286) 

Organizing entities within the organizational structure as roles, and maintaining roles within the 
organizational structure, where an entity in organization structure can also be a Principal, and the 
example is given of the entity being organized as a role, where the role is manager, and the entity 
that is organized is Abadi.

"Principals in Roles Abadi as Manager" (Section 2. Concepts P.268)

In reference to claim 2:

Lampson et al. (Section 4.1 - Section 4.4, p. 275-279) discloses a method wherein the method
involves a public key infrastructure operation, where the public key infrastructure operation may
be Encrypt, Decrypt, or the selection of Keys.



In reference to claim 3:

Lampson et al. (Section 2. Concepts P. 268) discloses a method wherein the control and
maintenance further comprises: 

Assigning elements in said organizational structure to roles within said organizational structure, 
where the element is a person/people and the role is a manager, and the elements are assigned 
these roles in the manner in which "Abadi" is assigned to be manager. 



In reference to claim 4: 

Lampson et al. (Section 5.3, p. 290) discloses a method wherein the control and maintenance
further comprises: 

Assigning elements in said organization structure to groups within said organizational structure, 
where a principal P may be a member of a group through a certificate which denotes 
membership. 

Claims 5 and 6 are rejected for the same reason as claim 4.

In reference to claim 7:

Lampson et al. (Section 9. Access Control, p. 305-308) discloses a method wherein said
cryptographic method involves access control technology, where the access control technology is
an access control list.

Claim 8 is rejected for the same reason as claim 7.

In reference to claim 9:

Lampson et al. (p.270 1st paragraph) discloses a method where said cryptographic method 
involves at least a database operation, where a database is searched to justify access control 
decisions. 

In reference to claim 16: 

Lampson et al. discloses a system for control and maintenance of an operational structure 
involving at least: 

• one cryptographic method, where the cryptographic method is public key cryptography
(Section 4.1 - Section 4.4, p. 275-279)

• entities within organizations, characteristics of said entities and relationships between
said entities, where the entities are principals. (Section 2. Concepts P. 268)

• where the capabilities, functions, characteristics, and relationships of entities
are maintained and changed, where the changing is done through statements, and the statements
denote actions that principals can say (Section 3.1 - Section 4, pages 271-274)

In reference to claim 17: 

Lampson et al. (Section 2. Concepts, page 268) discloses a system where at least one of said
entities is an individual in an organization under "People: Lampson, Abadi"

In reference to claim 18:

Lampson et al. (Section 2. Concepts, page 268) discloses a system where at least one of said 
entities is a group of individuals in an organization. 

In reference to claim 19: 

Lampson et al. (Section 2. Concepts, page 268) discloses a system where at least one capability
is a role in an organization. 

In reference to claim 20: 

Lampson et al. (Section 2. Concepts, page 268) discloses a system where at least one capability 
is a task in an organization. 

In reference to claim 21:

Lampson et al. (Section 2. Concepts, page 268) discloses a system where at least one function is 
an operation by a functionary in an organization. 

In reference to claim 22: 

Lampson et al. (Section 2, Concepts, page 268) discloses a system where at least one function is 
an operation by a group of functionaries in an organization, where a group is a Principal and 
Principals may take on roles or "functions". 



In reference to claim 23:

Lampson et al. (p. 269, 4th paragraph and Section 5.2, p. 286-290) discloses a system where at
least one of said characteristics and relationships is represented in a directory. 

In reference to claim 25: 

Lampson et al. (Figure 6, page 287) discloses a system where at least one of said characteristics 
and said relationships is represented in a public key infrastructure directory. 

In reference to claim 27: 

Lampson et al. (Figure 6, page 287) discloses a system where said system's operations involve 
updating at least one public key infrastructure directory, where the authentication tree 
demonstrates the public key infrastructure directory. 

In reference to claim 30: 

Lampson et al. (p. 283) discloses a system where said changing of the said maintained elements
comprises change of databases, where the elements are principals and the credentials of an 
element are looked up in the database. 

In reference to claim 31:

Lampson et al. (p. 283) discloses a system where said changing of the said maintained elements
comprises change of cryptographic certification information within the public key infrastructure
directories and further database changes, where the elements are principals, and a change of
cryptographic certification information would change the credentials of the element in the
database.

In reference to claim 32: 

Lampson et al. (Section 5.1, 5.2, p. 283-290) discloses a system where said entities, said
characteristics and said relationships are maintained by combining database components and
components of certification authorities of a public key infrastructure,
where the entities are principals and their characteristics and relationships are maintained by
combining information from the database (the credentials of the entities) and the certificates
provided by the certification authorities of the public key infrastructure.

In reference to claim 33: 

Lampson et al. (p. 269, 4th paragraph) discloses a system where said entities are represented in at
least first directory, where the entities are principals and
"/com/dec/src/burrows and /com/dec/src/abadi" are first directories where the entities are
represented.

(Section 5.2, Path Names and Multiple Authorities, p. 287-290) discloses a system where said
characteristics and said relationships are represented in at least second directory, where the
second directory is tree or directory of authentication, and the paths within the directory
represent the cryptographic relationships between the entities.

Claim 34 is rejected for the same reason as claim 33.

In reference to claim 37:

Lampson et al. (Section 5.1, A single certification authority, p. 283-286) discloses a system
where said system's operation is activated by at least one designated entity amongst said entities,
where the one designated entity is principal A, in first initiating the transaction.

In reference to claim 38: 

Lampson et al. (Section 5.1, A single certification authority, p. 283-286) demonstrates a system
where said system's operation is activated based on agreed upon rules, where the agreed upon 
rules are apparent in the operation of the users interacting with the certification authority. 

In reference to claim 42: 

Lampson et al. (Section 5.2, Path Names and Multiple Authorities, p. 287-290) discloses a
system where said characteristics and said relationships define authorization rules based on
access structure, where the relationships defined by the authorization tree define the
authorization rules.

Claims 43 and 44 are rejected for the same reason as claim 42. 



In reference to claim 47:

Lampson et al. (p. 286, 2nd paragraph) discloses a system with the additional operation of
monitoring operations within a system, where a timestamp is well known in the art to be
considered a monitoring operation.

In reference to claim 48: 

Lampson et al. (p. 286, 1st paragraph) discloses a system with the additional operations of time
stamping operations within said system. 

In reference to claim 49: 

Lampson et al. discloses a system of authentication in distributed systems where it is understood 
that at least one of said system's operations is performed distributedly via communication. 
Lampson et al. (Section 5.1, A single certification authority, p. 283) specifically discloses
contacting a certification authority as an operation performed distributedly. 

In reference to claim 50: 

Lampson et al. (p. 283) discloses a system where at least one of said system's operations is a 
distributed database operation. 

Application/Control Number: 09/503,181 Page 14

Art Unit: 2134

In reference to claim 52:

Lampson et al. (Section 5.1, A single certification authority, p. 283 - 286) discloses database
system representing an organization involving directories representing entities, their
characteristics, roles, and relationships together with their associations with cryptographic
capabilities, the database system comprising following transactional components:

Connection to cryptographic authorities representing the cryptographic capabilities associated
with said entities, said characteristics, and said relationships, where the cryptographic authorities
are certification authorities, and the entities are principals who communicate to the CAs in
cryptographic transactions.

A maintenance system by which said database and said cryptographic authorities are maintained 
in coordination and by authorized parties assuring the representation of said organization and 
said cryptographic capabilities are soundly associated as defined by the coordination directives, 
where the maintenance of the authorizations is observed through the use of certification 
authorities, and using the database to check access control transactions. Lampson et al. (p. 270, 1st
paragraph)

Maintenance transactions acting within said maintenance system, maintaining view representing
an organization, where the maintenance transactions are database accesses to justify granting
accesses Lampson et al. (p. 270, 1st paragraph)

In reference to claim 53: 

Lampson et al. (Section 2, p. 268 - 270) discloses a system wherein said organization comprises
a plurality of entities, where entities are principals. 



In reference to claim 54:

Lampson et al. (Section 5.2, Path Names and Multiple Authorities, p. 286-290) discloses a
system wherein said cryptographic authorities is a plurality of at least one certification 
authorities. 

In reference to claim 56: 

Lampson et al. (Section 5.2, Path Names and Multiple Authorities, p. 286-290) discloses a 
system wherein said cryptographic authorities is a plurality of authorities organized 
hierarchically. 

In reference to claim 57: 

Lampson et al. (Section 9, Access Control, p. 305-307) discloses a system wherein said 
authorized parties are maintained by another instantiation of the system, where the other 
instantiation is the access control list.

In reference to claim 59: 

Lampson et al. (Section 5.2, Path Names and Multiple Authorities, p. 283-286) discloses a 
system wherein said coordinating directives involve cryptographic fields assuring integrity of the 
operation, wherein the coordination of the entities with the certification authorities assure 
integrity of the operation.



In reference to claim 61:

Lampson et al. (p. 285) discloses a system wherein cryptographic capabilities involve digital
certificates. 

In reference to claim 62: 

Lampson et al. (Section 2, p. 268 - 270) discloses a system wherein said organization comprise
various organizational units, where the organization is the distributed authentication system, and 
the organizational units are defined as Concepts and other such units as principals, people, 
machines, services groups, all of which comprise an organization. 

In reference to claim 63: 

Lampson et al. (Section 2 and Section 3.1, 3.2, p. 268 - 272) discloses a system wherein said
organization comprise of various organizational units where entities are defined in one unit and 
their roles are defined within a second unit, where the concept of Principals comprises entities, 
and the roles are defined in a second concept, in statements. 

Claim Rejections - 35 USC § 103 

6. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

7. Claims 11, 12, 40, 45-46, 58, 60 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Lampson et al.






In reference to claim 11:

Lampson et al. discloses a method for operational organizational structure for authentication in 
distributed systems however does not explicitly disclose a method wherein the operational 
organizational structure represents at least one commercial organization. 

Lampson et al. additionally reveals intent to do this as disclosed in (Section 2. Concepts 
p. 268) where some of the possible values for the groups are SRC and DEC employees. 

It would have been obvious to one of ordinary skill in the art to use this in distributed 
systems requiring cryptographic security, including commercial organizations given Lampson et 
al.'s intent to apply the model to any kind of distributed system requiring authentication, 
including commercial organizations. 

Claim 12 is rejected for the same reason as claim 11.

In reference to claim 40: 

Lampson et al. (p. 283 - 290) discloses an instance of a database involving entities and 
relationship, but does not disclose an instance where the system's operation is a database 
maintenance operation. 

The examiner takes official notice that database maintenance operations are well known
to those skilled in the art and are necessary to maintain the function and integrity of databases.

It would have been obvious to one of ordinary skill in the art at the time of invention to
include some instance where the operations being performed on the database were database 
maintenance operations given the need to maintain the database in some way. 

In reference to claim 45: 

The examiner takes official notice that logging system's operations are well known in the art. 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
log the system operations of Lampson et al.'s disclosure given the advantage of being able to
have a formal record for the actions of the certification authorities and the logins by the users. 

Claim 46 is rejected for the same reason as claim 45. 

In reference to claim 58: 

Lampson et al. does not explicitly disclose a system wherein said authorized parties are assigned 
by management of said organization. However it is well understood in the art that the decision 
of cryptographic authorities to use, or the decision on the authorizations that certain party may 
have can only be granted by a higher authority. 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
assign the authorized parties used in Lampson et al. by the management of the organization. 



In reference to claim 60:

Lampson et al. does not explicitly disclose a system wherein said maintaining view representing
an organization may present different characteristics and components to different outside 
reviewers. 

The Unified Modeling Language (UML) 1.0 discloses different view representations of a 
particular model each subject to different reviews and each view presenting different 
characteristics and components. (UML Semantics version 1.0, p. 93-96) 

It would have been obvious to one of ordinary skill in the art at the time of invention to 
allow different aspects of the modeled system in Lampson et al. to be presented to different 
outside reviewers, given the advantage to observe one set of characteristics about the model to 
review only a particular aspect of the modeled system. 



Conclusion 

8. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy
as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO
MONTHS of the mailing date of the final action and the advisory action is not mailed until after
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period
will expire on the date the advisory action is mailed, and any extension pursuant to 37 CFR
1.136(a) will be calculated from the mailing date of the advisory action. In no event, however,
will the statutory period for reply expire later than SIX MONTHS from the mailing date of this
final action.



9. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Thomas M Ho whose telephone number is (703)305-8029. The
examiner can normally be reached on M-F from 8:30am - 5:00pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Gregory A. Morse can be reached at (703)308-4789. The fax phone numbers for the
organization where this application or proceeding is assigned are (703)746-7239 for regular
communications and (703)746-7238 for After Final communications.

Any inquiry of a general nature or relating to the status of this application or proceeding
should be directed to the receptionist whose telephone number is (703)306-5484.

TMH

June 11th, 2004

GREGORY MORSE
SUPERVISORY PATENT EXAMINER
TECHNOLOGY CENTER 2100




